Nsight Blog | Ncontracts

3 Lessons Learned from a Third-Party Vendor Breach

Written by Michael Berman | Feb 18, 2021 12:00:00 PM

Late last year, while the SolarWinds breach was drawing attention, another third-party cyber breach was also wreaking havoc.

Accellion, a company that provides secure third-party communications to the financial services industry, among others, discovered that its 20-year-old file-sharing product, FTA, was breached in a “sophisticated cyberattack”—exposing the data of many of its customers, including the Reserve Bank of New Zealand (RBNZ).

It’s believed RBNZ used the product to receive confidential data from banks. The bank hasn’t said how many people’s sensitive personal information was compromised by the illicit file downloads, but Governor Adrian Orr described the breach as “serious” with “significant data implication.”

Zero-day attacks like the one that impacted FTA are a known risk, making incident response plans a critical control in limiting the impact of such an event. However, the Reserve Bank of New Zealand says that Accellion fell short of the mark.

While the California-based company said it informed all impacted customers of the breach and provided a patch within three days, RBNZ said Accellion waited five days to inform the bank about the breach and the patch that could have prevented a breach of RBNZ’s data.

Other critics observed that the patch came out on Christmas Eve when many customers were out of the office, and not enough was done to ensure they were made aware of the patch after the holiday.

Orr also said RBNZ could have done more to protect data, citing a May report that said the bank needed to “uplift” its cybersecurity.

“While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders,” he said.


Data breaches are never good news, but at least other institutions get the benefit of lessons learned. What are the takeaways from this breach?

1. Make sure third-party vendor contracts address data breaches. Third-party vendor contracts need to define breach and include provisions that quantify breach notification timelines in hours or days instead of vague terms like “timely” or “prompt.”

These are basic items to include in a contract, but they are surprisingly often overlooked by institutions. Back in 2017, the FDIC’s Office of the Inspector General analyzed a sampling of bank third-party vendor contracts and discovered that 27 percent of the contracts it reviewed didn’t address incident response in service-level agreements. About 20 percent of the contracts included the term “timely notification” but provided no definition, leaving the phrase open to interpretation. Another 43 percent provided only a limited definition. The study found that terms like “unauthorized access,” “security incident” and “substantial harm or inconvenience” are also frequently used and lack specificity.

These types of contract management oversights continue today. When negotiating contracts, make sure your institution is specific when it comes to expectations for breach notification.

2. Address cyber weaknesses promptly. Assessing the maturity of your institution’s cybersecurity program is important to uncover weaknesses—but it’s not enough. You also have to take action to correct deficiencies.

RBNZ knew it had cybersecurity weaknesses in May, but it sounds like not much was done to correct them. When dealing with findings, high-risk areas like cybersecurity should be high priorities for remediation. Individuals should be assigned responsibility for overseeing the remediation process, reporting progress along the way. The board should be aware of high-profile findings and actively engaged in ensuring they are remediated.

Make sure your findings management process ensures prompt remediation.

3. Established vendors and products need managing too. RBNZ was aware it was using a 20-year-old product that was scheduled for sundown later this year. While it’s not necessary to have bleeding-edge technology, an important part of vendor management is ensuring that the products and services provided by third-party vendors remain suitable and appropriate. Did RBNZ consider moving to a newer or cloud-based technology to improve security? Had it taken steps to evaluate alternatives to prepare for the sunsetting?

Never wait until the last minute to explore options when a contract is expiring. It takes time to move from one product or service to another. Whether it’s onboarding a new vendor or switching to another product from an existing vendor, time is needed to evaluate risk, assess options, negotiate contracts, and implement.

Also, don’t assume that an existing product is still performing as needed. Technology and the financial services environment are constantly evolving. It’s important to regularly evaluate vendor technology choices to ensure they are still a good fit. Just because the product is functional doesn’t mean it’s delivering everything your institution needs. Due diligence and risk assessments are the only way to know for sure.
